PatchSiren cyber security CVE debrief
CVE-2023-6677 Oduyo Financial Technology CVE debrief
A critical SQL injection vulnerability in Oduyo Financial Technology Online Collection allows unauthenticated remote attackers to execute arbitrary SQL commands, potentially leading to complete database compromise. The vulnerability affects all versions prior to 1.0.2. The issue was disclosed in February 2024 and modified in May 2026. Organizations using affected versions should upgrade immediately to version 1.0.2 or later.
- Vendor: Oduyo Financial Technology
- Product: Online Collection
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-09
- Original CVE updated: 2026-05-20
- Advisory published: 2024-02-09
- Advisory updated: 2026-05-20
Who should care
Organizations using Oduyo Online Collection for financial payment processing; security teams in financial services and collection agencies; database administrators managing Online Collection deployments; compliance officers responsible for PCI-DSS or other financial data protection standards.
Technical summary
CVE-2023-6677 is an unauthenticated SQL injection vulnerability in Oduyo Financial Technology's Online Collection software. The application fails to properly neutralize special elements in SQL commands (CWE-89), allowing attackers to inject malicious SQL statements without authentication. With a CVSS score of 9.8, this vulnerability enables remote attackers to read, modify, or delete arbitrary database contents, potentially compromising sensitive financial collection data. The attack vector is network-based, requires no privileges or user interaction, and can result in complete confidentiality, integrity, and availability loss. The vulnerability was addressed in version 1.0.2.
Defensive priority
critical
Recommended defensive actions
- Upgrade Oduyo Online Collection to version 1.0.2 or later immediately
- Review database access logs for suspicious SQL query patterns from 2024-02-09 onward
- Implement parameterized queries and prepared statements for all database interactions
- Apply principle of least privilege to database accounts used by the application
- Deploy web application firewall (WAF) rules to detect and block SQL injection attempts
- Conduct security assessment of all input validation mechanisms in the application
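The log review recommended above can be scripted. The following is an added example (not code from the advisory or from the vendor) that scans constructed database access log lines for query shapes typical of injected SQL and keeps only entries at or after the 2024-02-09 publication date; the `date ip query` log format, the sample lines and the IP addresses are all assumptions.

```python
import re
from datetime import date

# Constructed sample database access log lines (not from any real Online
# Collection deployment); assumed format: "<YYYY-MM-DD> <client-ip> <query>".
SAMPLE_LOG = """\
2024-01-15 10.0.0.5 SELECT amount FROM collections WHERE account_id = '10042'
2024-02-10 203.0.113.9 SELECT amount FROM collections WHERE account_id = '' OR '1'='1'
2024-02-11 203.0.113.9 SELECT name FROM debtors WHERE id = 7 UNION SELECT user, pass FROM sys_users
2024-03-01 10.0.0.7 UPDATE collections SET status = 'paid' WHERE id = 8813
2024-03-02 198.51.100.4 SELECT * FROM payments WHERE ref = 'x'; DROP TABLE payments --
"""

# Review window from the advisory: from the CVE publication date onward.
REVIEW_START = date(2024, 2, 9)

# Query shapes that an application's own prepared statements should never
# produce: tautologies, UNION-based reads, stacked statements, and trailing
# comment sequences that truncate the intended query.
INJECTION_PATTERNS = {
    "tautology": re.compile(r"\bOR\s+'?(\w+)'?\s*=\s*'?\1'?", re.I),
    "union_select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "stacked_statement": re.compile(r";\s*(DROP|DELETE|UPDATE|INSERT|ALTER)\b", re.I),
    "comment_truncation": re.compile(r"(--|#|/\*)\s*$"),
}

def parse_line(line):
    """Split one log line into (date, client_ip, query_text)."""
    day, ip, query = line.split(" ", 2)
    return date.fromisoformat(day), ip, query

def find_suspicious(log_text, start=REVIEW_START):
    """Return (iso_date, client_ip, [matched pattern names]) for every query
    logged at or after `start` that matches at least one pattern."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, ip, query = parse_line(line)
        if day < start:
            continue  # outside the advisory's review window
        hits = [name for name, rx in INJECTION_PATTERNS.items() if rx.search(query)]
        if hits:
            findings.append((day.isoformat(), ip, hits))
    return findings
```

Matches should be triaged against the application's known query set, since a hit on a legitimate query indicates a pattern that needs tightening rather than an intrusion.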
Evidence notes
The vulnerability is classified as CWE-89 (SQL Injection) with a CVSS 3.1 score of 9.8 (Critical). CPE criteria confirm affected versions are all releases before 1.0.2. USOM issued a third-party advisory documenting this vulnerability.
Official resources
- CVE-2023-6677 CVE record (CVE.org)
- CVE-2023-6677 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
- Mitigation or vendor reference: [email protected] - Third Party Advisory
CVE-2023-6677 was published on 2024-02-09 and last modified on 2026-05-20. The vulnerability was reported through the Turkish National Cyber Security Incident Response Center (USOM) as advisory TR-24-0100.